What One-Time Passwords Could Do For Mobile

Smartphones will soon be wallets. They're already corporate data repositories. And finally, Yubico lets us stop using static passwords to lock it all down.

The user name/password combo is like the QWERTY keyboard: a suboptimal historical anachronism that by sheer force of inertia has persisted far past its time. It's not that more secure alternatives haven't come along. I designed a smart card-based one-time password system as part of Hewlett-Packard's first dial-in remote network access system more than 15 years ago. But OTP schemes haven't caught on for general use. They seldom have clean, intuitive interfaces. They tend to unduly disrupt people's daily routines. And as we use more Web apps, each with its own account database, hardware-based OTP implementations represent an administrative nightmare.

Ironically, SecurID, one of the most popular OTP systems and the one I used many years ago in my HP days, was hacked, and that cast a dark cloud over the credibility of the entire technology. This only complicates the lives of security professionals trying to convince skeptical CIOs to fund OTP projects. The selling job gets even harder when you realize that mobile devices, an afterthought for most OTP systems, are an increasingly significant part of the average worker's day.

Enter Yubico, a little Scandinavian company that might just have a better mousetrap. Five years ago, Jakob and Stina Ehrensvärd set out to make strong authentication easy and affordable. The first fruit of that mission, the deceptively simple but surprisingly sophisticated YubiKey USB dongle, has already garnered more than 1 million users and 18,000 enterprise customers, including some A-list defense contractors, government agencies, and Fortune 500 companies.

The YubiKey is an OTP appliance for those who hate complexity. Unlike prior OTP implementations, the YubiKey requires no special drivers or local client software, because it acts as a fancy keyboard, appearing to any system as a USB human interface device. That means it works just as well on Linux and OS X as on Windows. Once connected, the YubiKey has one function: every time you touch its one and only button, it converts a cryptographically strong (a hash of an AES key), unique one-time password into a long series of keyboard-compatible ASCII characters. Each randomly generated sequence (see details [PDF]) incorporates a static, 48-bit public identity and a 128-bit OTP string. The YubiKey's simplicity is exemplified in a tiny, utilitarian, low-cost design that translates to a price of only $25 for single units; that drops to $15 in volume. Better still, the software for integrating the YubiKey into applications is open source, with an active community of developers having already published utilities that let the YubiKey authenticate to Windows AD, Google Apps, SAML, OAuth and several password managers, including LastPass.
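To make the structure described in this paragraph concrete, here is an added Python example (not Yubico's code, and not from the article) showing how a validation server takes apart an OTP of this shape and why each one works only once: ModHex decoding of the typed characters, the 12-character public identity followed by the 32-character encrypted block, the CRC that is checked after decryption, and the counter comparison that refuses a replayed OTP. The field layout, CRC and ModHex alphabet are the published YubiKey ones; the identities, keys, counters and the `Validator` class are constructed for this example, and the AES decryption step in `validate_otp` assumes the `cryptography` package is installed.

```python
# Added example (not Yubico's code): the layout of a YubiKey OTP and the
# checks a validation server runs on one. Layout used here is the published
# one: 44 ModHex characters = 12-character public identity (48 bits) +
# 32-character block (128 bits) that the key emits AES-128-encrypted under
# its per-key secret. Every key, ID and counter below is constructed.
import struct

# ModHex uses 16 letters that sit at the same positions on common keyboard
# layouts, so a "keyboard" token types correctly whatever the host locale.
MODHEX = "cbdefghijklnrtuv"
_MODHEX_VAL = {ch: i for i, ch in enumerate(MODHEX)}


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(ch not in _MODHEX_VAL for ch in text):
        raise ValueError("not a ModHex string")
    return bytes(_MODHEX_VAL[text[i]] << 4 | _MODHEX_VAL[text[i + 1]]
                 for i in range(0, len(text), 2))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def split_otp(otp: str):
    """44-character OTP -> (6-byte public identity, 16-byte ciphertext)."""
    if len(otp) != 44:
        raise ValueError("a YubiKey OTP is 44 ModHex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """CRC-16 as in ISO 13239 / RFC 1662: reflected poly 0x8408, init 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


CRC_OK_RESIDUE = 0xF0B8  # crc16 over a block whose trailing CRC is intact


def build_plaintext(private_id: bytes, counter: int, timestamp: int,
                    use: int, rnd: int) -> bytes:
    """What the key lays out before encrypting: uid(6) | counter(2) |
    timestamp(3) | use(1) | random(2) | crc(2), all little-endian."""
    body = (private_id + struct.pack("<H", counter)
            + bytes([timestamp & 0xFF, (timestamp >> 8) & 0xFF,
                     (timestamp >> 16) & 0xFF, use])
            + struct.pack("<H", rnd))
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)  # CRC stored complemented


def parse_plaintext(block: bytes) -> dict:
    """Fields of the decrypted block; raises when the CRC does not check,
    which is what a wrong key, a corrupted OTP or a forged one looks like."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("bad length or CRC")
    counter, = struct.unpack_from("<H", block, 6)
    return {
        "private_id": block[:6],
        "counter": counter & 0x7FFF,  # low 15 bits; bumped at each power-up
        "timestamp": block[8] | block[9] << 8 | block[10] << 16,
        "use": block[11],             # bumped per button press within a session
    }


class Validator:
    """Server-side state per public identity: AES key, expected private
    identity, and the highest (counter, use) pair already accepted."""

    def __init__(self):
        self._keys = {}   # public_id -> (private_id, aes_key)
        self._last = {}   # public_id -> (counter, use)

    def register(self, public_id: bytes, private_id: bytes, aes_key: bytes):
        self._keys[public_id] = (private_id, aes_key)

    def check_plaintext(self, public_id: bytes, block: bytes) -> bool:
        """Accept a decrypted block once and only once, in increasing order."""
        if public_id not in self._keys:
            return False
        try:
            f = parse_plaintext(block)
        except ValueError:
            return False
        if f["private_id"] != self._keys[public_id][0]:
            return False   # decrypted with the wrong key, or forged
        if (f["counter"], f["use"]) <= self._last.get(public_id, (-1, -1)):
            return False   # replay: this OTP, or a later one, was already used
        self._last[public_id] = (f["counter"], f["use"])
        return True

    def validate_otp(self, otp: str) -> bool:
        """Full path: ModHex-decode, AES-128-ECB-decrypt the single block with
        the key on file, then run the checks. Needs the cryptography package."""
        public_id, ciphertext = split_otp(otp)
        if public_id not in self._keys:
            return False
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(self._keys[public_id][1]), modes.ECB()).decryptor()
        return self.check_plaintext(public_id, dec.update(ciphertext) + dec.finalize())


if __name__ == "__main__":
    pub, priv = b"\x11\x22\x33\x44\x55\x66", b"\xaa\xbb\xcc\xdd\xee\xff"  # constructed
    v = Validator()
    v.register(pub, priv, aes_key=b"\x00" * 16)
    first = build_plaintext(priv, counter=7, timestamp=0x0A0B0C, use=0, rnd=0x1234)
    print("public identity as typed:", modhex_encode(pub))
    print("first use accepted:", v.check_plaintext(pub, first))  # True
    print("same OTP replayed: ", v.check_plaintext(pub, first))  # False
```

The counter comparison is the property that makes a captured code worthless after the fact: once a (counter, use) pair has been accepted for a public identity, that value and every lower one is refused, so the validator never honors the same OTP twice. The CRC check is what lets the server tell a decryption under the wrong key, or a corrupted or forged block, from a genuine one before it looks at any field.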

While promising, the YubiKey is far from a perfect password replacement. First, like prior OTP efforts, it requires server- and application-side support. Obviously cognizant of this roadblock, Yubico has released its own cloud authentication service for end users and fostered support for other authentication services, like LastPass and OneLogin, along with federated login systems like OAuth and SAML. Yet there's a more fundamental obstacle in this post-PC era: USB ports are about as common as floppy disks, and unlikely to ever appear on Apple's category-defining iPhone and iPad. If only there were a secure (make that very secure), local (make that very local) wireless technology.

Well, there is, and it turns out that near field communication may end up being more than just a replacement for magnetic stripe readers. Yubico sees NFC as an ideal interface for OTP tokens, and its new YubiKey NEO uses the same cryptographic engine but adds an NFC radio to the original product's USB port. Like the original, the NEO's software is customizable; however, instead of sending a key sequence out the USB port, Stina Ehrensvärd says the typical response to a button-press on a smartphone will be to launch the browser and display a programmable URL that includes the OTP. No custom app necessary. The NEO also supports the same suite of services and standards, including LastPass, Google Apps, SAML, and OAuth. Although NFC is designed as a secure wireless protocol that works over at most a few inches, Ehrensvärd says Yubico's implementation opted to eliminate any possibility of wireless intercept by requiring that the NEO be in physical contact with the mobile device.

Finally, as a nascent technology, there are bound to be device compatibility kinks to iron out before NFC approaches USB-level simplicity. Look at how long Bluetooth has been around and the headaches it still creates when trying to pair a new headset or keyboard. When pressed about these roadblocks, Ehrensvärd admits that NFC might not be the only mobile OTP interface. Although not ready to announce details, she says Yubico sees a way of using another port that's guaranteed to be on every phone, tablet, and (hint) even music player, to transmit OTP codes.

Yet bringing OTP to mobile devices is more than just a hardware problem. Application support and user acceptance are also roadblocks. Although Yubico's open source software model, active developer community, and demonstrated support by thousands of enterprise customers offer hope that the software issues aren't insurmountable, user behavior is a tougher nut to crack. When many people still don't protect their phones with a screen-lock PIN, it's hard to be too optimistic about their willingness to drag out a keychain every time they want to log in to a website or app. However, perhaps the burden of remembering a growing list of account names and passwords will create a tipping point where the inconvenience of a hardware token is less than that of a hacked account.

Kurt, I liked your piece and its forward-looking perspective. You nailed it when you brought up the issue of users carrying an extra device for authentication - they won't! Gartner, and other analysts, along with user trials will attest to this fact. Mobile enables OOBA and voice biometrics (maybe facial too) and opens new frontiers in security.

Re: app support. That's why Yubico's support for federated authentication systems and standards like OAuth and SAML is so important. Look at how many services are already tied to your Google, Twitter, Facebook, Windows Live or iTunes account. Most cloud services don't want to reinvent the user account/identity/authentication wheel and would rather just leverage what Google, Microsoft and Apple have already put together. If just a few of these (Google already does) support federated OTP, it could make a big difference.

User acceptance is a tougher issue, but dead simple devices like YubiKey certainly mitigate this. Having your ID stolen also tends to focus the mind. It's like the old saw that a conservative is a liberal who got mugged. As another commenter pointed out, smartphone-based biometrics might be another option, but unless these use the biometric with some sort of embedded TPM chip to generate an OTP, they're still subject to MITM and replay attacks.

I agree that this additional hardware is a huge problem. I don't see this catching on widely unless it can be integrated into all mobile devices including phones and tablets. Otherwise, it will fall by the wayside as just yet another security token device. Some companies might enforce a security policy that requires that you have it as their employee, like carrying a badge or keycard, but other than that, the reasons for carrying another device will never be compelling enough for the average user. On the other hand, what if it were integrated into something that can be inserted into all mobile devices, like a microSD card that can automatically use a combination button-press/biometric fingerprint scan on its host device to release the one-time password? However, in that case, the microSD tokens will be commonly lost as devices are stolen or someone forgets to remove their microSD card. Plus, it is unlikely that all mobile devices across all makers, models, and device types will allow such a common and freely available button-press/biometric scan API. Is it safe to say that this is strictly a business security solution?
